Analytics Story: NjRAT

Description

NjRAT is a notorious remote access trojan (RAT) predominantly used by malicious operators to infiltrate and remotely control compromised systems. This analytic story uses targeted searches to uncover and investigate activity that may indicate NjRAT's presence: file write operations for dropped files, registry modifications that establish persistence, suspicious processes, self-deletion behaviour, browser credential parsing, firewall configuration changes, spreading via removable drives, and a range of other potentially malicious actions.

Why it matters

NjRAT, also known as Bladabindi, was first discovered in the wild in 2012. Since then the malware has remained active and has been distributed through a variety of campaigns. While its primary infection vectors are phishing attacks and drive-by downloads, it also has worm-like capability to spread via infected removable drives. The RAT has a wide range of capabilities, including keylogging, webcam access, browser credential parsing, file upload and download, file and process listing, service listing, shell command execution, registry modification, screen capture, viewing the desktop of the infected computer, and more. NjRAT does not target any particular industry; it attacks a wide variety of individuals and organizations to gather sensitive information.
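As an added example, not part of the Splunk story or its SPL searches, the script below applies simplified versions of five of the story's detections (Run-key persistence, firewall rule written to the registry, System Restore disabled, execution from a Temp directory, netsh allowing a program, and an executable dropped on a non-system drive) to constructed Sysmon events shaped like the fields Splunk extracts from EventID 1, 11 and 13. It groups the hits per host so the behaviour chain described above reads as one incident rather than as isolated alerts. The hostname, paths, registry value name and the removable-drive heuristic are assumptions.

```python
"""Triage helper that flags NjRAT-style host activity in Sysmon events.

Added example, not part of the Splunk analytic story. SAMPLE_EVENTS below are
constructed records shaped like the fields Splunk extracts from
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventID 1, 11 and 13).
The detection names returned are the ones listed in the story; the matching
rules are simplified heuristics, not the story's own SPL searches.
"""
import re

# Registry value written under a Run/RunOnce key (persistence).
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Rule added directly to the firewall policy registry store.
FIREWALL_RULE_KEY = re.compile(r"\\FirewallPolicy\\FirewallRules\\", re.I)
# System Restore disabled through policy.
SYSTEM_RESTORE_KEY = re.compile(r"\\SystemRestore\\DisableSR$", re.I)
# Executable launched from a Temp directory.
TEMP_DIR_IMAGE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.I)
# netsh used to allow a program or add a rule through the host firewall.
FIREWALL_CMD = re.compile(
    r"netsh\s+(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)", re.I)
# Heuristic (assumption): an .exe or .lnk dropped at the root of a non-system
# drive letter is treated as a candidate removable-media drop. Sysmon EventID 11
# does not carry the drive type, so a production search would join against
# device-arrival data instead.
REMOVABLE_DROP = re.compile(r"^[D-Z]:\\[^\\]+\.(exe|lnk)$", re.I)


def analyze(event):
    """Return the list of story detection names a single event triggers."""
    hits = []
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent (value set)
        target = event.get("TargetObject", "")
        if RUN_KEY.search(target):
            hits.append("Registry Keys Used For Persistence")
        if FIREWALL_RULE_KEY.search(target):
            hits.append("Allow Inbound Traffic By Firewall Rule Registry")
        if SYSTEM_RESTORE_KEY.search(target) and "0x00000001" in event.get("Details", ""):
            hits.append("Disabling SystemRestore In Registry")
    elif eid == 1:  # ProcessCreate
        if TEMP_DIR_IMAGE.search(event.get("Image", "")):
            hits.append("Windows Process Execution in Temp Dir")
        if FIREWALL_CMD.search(event.get("CommandLine", "")):
            hits.append("Firewall Allowed Program Enable")
    elif eid == 11:  # FileCreate
        if REMOVABLE_DROP.match(event.get("TargetFilename", "")):
            hits.append("Windows Replication Through Removable Media")
    return hits


def triage(events):
    """Group triggered detections per host, preserving event order, so an
    analyst sees the whole behaviour chain rather than isolated alerts."""
    report = {}
    for ev in events:
        for name in analyze(ev):
            report.setdefault(ev["Computer"], []).append(name)
    return report


# Constructed sample events (hostname, paths and the value name are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Users\victim\AppData\Local\Temp\server.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\server.exe"'},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\0123456789abcdef0123456789abcdef",
     "Details": r'"C:\Users\victim\AppData\Local\Temp\server.exe" ..'},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\victim\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"E:\server.exe"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",
     "Details": "DWORD (0x00000001)"},
    # Benign activity that should not trigger anything.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"C:\Users\victim\Documents\report.docx"},
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host)
        for name in names:
            print("  -", name)
```

Each rule alone is noisy on a real estate (legitimate installers write Run keys and netsh is used by administrators); the value of grouping by host is that several of these firing in sequence on one machine is what distinguishes the story's behaviour chain from routine activity.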

Detections

| Name | Technique | Type |
|---|---|---|
| Office Application Spawn rundll32 process | Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Spearphishing Attachment | TTP |
| Office Document Spawned Child Process To Download | Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Spearphishing Attachment | TTP |
| Office Product Spawning MSHTA | Spearphishing Attachment | TTP |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| Disable Registry Tool | Modify Registry, Disable or Modify Tools | TTP |
| Disabling CMD Application | Modify Registry, Disable or Modify Tools | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools | TTP |
| Excessive Usage Of Taskkill | Disable or Modify Tools | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP |
| Windows Abused Web Services | Web Service | TTP |
| Windows Admin Permission Discovery | Local Groups | Anomaly |
| Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Delete or Modify System Firewall | Disable or Modify System Firewall | Anomaly |
| Windows Disable or Modify Tools Via Taskkill | Disable or Modify Tools | Anomaly |
| Windows Executable in Loaded Modules | Shared Modules | TTP |
| Windows Modify Registry With MD5 Reg Key Name | Modify Registry | TTP |
| Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall | TTP |
| Windows Njrat Fileless Storage via Registry | Fileless Storage | TTP |
| Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly |
| Windows Office Product Spawned Child Process For Download | Spearphishing Attachment | TTP |
| Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP |
| Windows Process Execution in Temp Dir | Create or Modify System Process, Match Legitimate Name or Location | Anomaly |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP |
| Windows Replication Through Removable Media | Replication Through Removable Media | TTP |
| Windows System LogOff Commandline | System Shutdown/Reboot | Anomaly |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
| Windows Time Based Evasion | Time Based Evasion | TTP |
| Windows Unsigned DLL Side-Loading | DLL Side-Loading | Anomaly |
| Windows User Execution Malicious URL Shortcut File | Malicious File | TTP |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 9 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 2